There has been much recent discussion/activity regarding the
announcement of reduced complexity collision attacks against SHA-1. In
particular it has caused a spate of new GPG key announcements from
various DDs, and caused worry amongst others that action needs to be
taken.
My attitude to this is that yes, people should be considering replacing
their existing GPG keys with something stronger using SHA256 or better
for signatures (and a keysize of greater than 1024 bits). However this
should not be done at the expense of our Web of Trust; I don't believe
the situation warrants an instant key rollover. A more sensible approach
is new key generation now followed by spending the next 6 months or so
getting a decent number of cross signatures for that key before asking
for replacement.
So, some guidelines about key replacement to help ensure that newly
generated keys are integrated into the WoT and the removal of old keys
doesn't cause undue damage:
* The new key should be signed by at least 2 existing DD keys. More is
good.
* Replacement of the old key with the new one should not cause any other
key to no longer be in Debian's Web of Trust nor strongly connected
subset.
* Replacement of the old key with the new one should not cause a
significant weakening of Debian's Web of Trust. I don't have exact
figures for this at present, but it'll be based on the Betweenness
Centrality and mean-minimum-distance calculations most probably.
* Including a published transition document signed by both keys or a
revocation certificate for the old key will be looked upon favourably.
* The new key should be signed by the old one.
Note these are guidelines, not hard and fast rules. The usual due care
and attention should be paid to issuing signatures and cases where
developers are unable to maintain as well connected a key easily will be
listened to.
Requests for replacement should be done via the normal procedure; a
*clear signed* (RT mangles PGP/MIME) request to keyring@rt.debian.org
with "Debian RT" in the subject, along with something descriptive.
Also I recently sent out mail to all those DDs who currently have both
PGPv3 and PGPv4 keys in our keyrings asking if the PGPv3 key could be
removed without causing disruption. So far I've had replies to fewer
than half of these mails. If you have received one and not yet replied
please do so; there are various weaknesses in v3 keys that mean that we
should be ceasing our use of them. Equally if you only have a v3 key at
present please look at generating a suitably strong v4 key and getting
it well integrated into the Web of Trust. I am more concerned with
ridding us of PGPv3 keys than SHA-1.
Finally thanks to the alioth admins the bzr tree used for maintaining
the keyring is now publicly accessible via:
bzr branch http://bzr.debian.org/keyring/debian-keyring/
or via the loggerhead web interface at:
http://bzr.debian.org/loggerhead/keyring/debian-keyring/changes
Note that this tree is only a copy of the master tree and will only be
updated at the points when the master tree is promoted to the live
keyring - so activity will appear bursty but that doesn't mean it's
stalled.
Useful links:
HOWTO prep for migration off SHA-1 in OpenPGP:
http://www.debian-administration.org/users/dkg/weblog/48
Betweenness Centrality in the Web of Trust:
http://pestilenz.org/cgi-bin/blosxom.cgi/2004/12/09#wot
A look at the Debian Web of Trust over time:
http://www.earth.li/~noodles/blog/2009/05/breaking-the-web-of-trust.html
J.
--
Most people are descended from apes. Redheads are descended from cats.